diff options
| author | Jan Zeleny <jzeleny@redhat.com> | 2011-03-29 02:46:25 -0400 |
|---|---|---|
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-04-25 08:06:34 -0400 |
| commit | e81a816cddab4a62f263d1a0274d5d3f101e8e0f (patch) | |
| tree | de3d6baa2ac2d39c4d50d1ce5a911e435dc0e3a9 /src/providers/ipa | |
| parent | d03617ab9106c14b46ab3dc85d5c8ced393da533 (diff) | |
| download | sssd-e81a816cddab4a62f263d1a0274d5d3f101e8e0f.tar.gz sssd-e81a816cddab4a62f263d1a0274d5d3f101e8e0f.tar.bz2 sssd-e81a816cddab4a62f263d1a0274d5d3f101e8e0f.zip | |
Modify principal selection for keytab authentication
Currently we construct the principal as host/fqdn@REALM. The problem
with this is that this principal doesn't have to be in the keytab. In
that case the provider fails to start. It is better to scan the keytab
and find the most suitable principal to use. Only in case no suitable
principal is found the backend should fail to start.
The second issue solved by this patch is that the realm we are
authenticating the machine to can be in general different from the realm
our users are part of (in case of cross Kerberos trust).
The patch adds new configuration option SDAP_SASL_REALM.
https://fedorahosted.org/sssd/ticket/781
Diffstat (limited to 'src/providers/ipa')
| -rw-r--r-- | src/providers/ipa/ipa_common.c | 74 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_common.h | 2 |
2 files changed, 54 insertions, 22 deletions
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c index 61859a98..7ba4fd5a 100644 --- a/src/providers/ipa/ipa_common.c +++ b/src/providers/ipa/ipa_common.c @@ -28,6 +28,7 @@ #include "providers/ipa/ipa_common.h" #include "providers/ldap/sdap_async_private.h" +#include "util/sss_krb5.h" struct dp_option ipa_basic_opts[] = { { "ipa_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING }, @@ -69,6 +70,7 @@ struct dp_option ipa_def_ldap_opts[] = { { "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ldap_sasl_mech", DP_OPT_STRING, { "GSSAPI" } , NULL_STRING }, { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, /* use the same parm name as the krb5 module so we set it only once */ @@ -263,10 +265,14 @@ int ipa_get_id_options(struct ipa_options *ipa_opts, struct sdap_options **_opts) { TALLOC_CTX *tmpctx; - char *hostname; + char *primary; char *basedn; char *realm; char *value; + char *desired_realm; + char *desired_primary; + bool primary_requested = true; + bool realm_requested = true; int ret; int i; @@ -323,26 +329,6 @@ int ipa_get_id_options(struct ipa_options *ipa_opts, dp_opt_get_string(ipa_opts->id->basic, SDAP_SEARCH_BASE))); } - /* set the ldap_sasl_authid if the ipa_hostname override was specified */ - if (NULL == dp_opt_get_string(ipa_opts->id->basic, SDAP_SASL_AUTHID)) { - hostname = dp_opt_get_string(ipa_opts->basic, IPA_HOSTNAME); - if (hostname) { - value = talloc_asprintf(tmpctx, "host/%s", hostname); - if (!value) { - ret = ENOMEM; - goto done; - } - ret = dp_opt_set_string(ipa_opts->id->basic, - SDAP_SASL_AUTHID, value); - if (ret != EOK) { - goto done; - } - } - DEBUG(6, ("Option %s set to %s\n", - ipa_opts->id->basic[SDAP_SASL_AUTHID].opt_name, - dp_opt_get_string(ipa_opts->id->basic, SDAP_SASL_AUTHID))); - } - /* set krb realm */ if (NULL == dp_opt_get_string(ipa_opts->id->basic, SDAP_KRB5_REALM)) { realm = dp_opt_get_string(ipa_opts->basic, IPA_KRB5_REALM); @@ -362,6 +348,52 @@ int ipa_get_id_options(struct ipa_options *ipa_opts, dp_opt_get_string(ipa_opts->id->basic, SDAP_KRB5_REALM))); } + /* Configuration of SASL auth ID and realm */ + desired_primary = dp_opt_get_string(ipa_opts->id->basic, SDAP_SASL_AUTHID); + if (!desired_primary) { + primary_requested = false; + desired_primary = dp_opt_get_string(ipa_opts->id->basic, IPA_HOSTNAME); + } + desired_realm = dp_opt_get_string(ipa_opts->id->basic, SDAP_SASL_REALM); + if (!desired_realm) { + realm_requested = false; + desired_realm = dp_opt_get_string(ipa_opts->id->basic, IPA_KRB5_REALM); + } + + ret = select_principal_from_keytab(tmpctx, + dp_opt_get_string(ipa_opts->auth, + KRB5_KEYTAB), + desired_primary, desired_realm, + NULL, &primary, &realm); + if (ret != EOK) { + goto done; + } + + if ((primary_requested && strcmp(desired_primary, primary) != 0) || + (realm_requested && strcmp(desired_realm, realm) != 0)) { + DEBUG(1, ("Configured SASL auth ID/realm not found in keytab.\n")); + ret = ENOENT; + goto done; + } + + ret = dp_opt_set_string(ipa_opts->id->basic, + SDAP_SASL_AUTHID, primary); + if (ret != EOK) { + goto done; + } + DEBUG(6, ("Option %s set to %s\n", + ipa_opts->id->basic[SDAP_SASL_AUTHID].opt_name, + dp_opt_get_string(ipa_opts->id->basic, SDAP_SASL_AUTHID))); + + ret = dp_opt_set_string(ipa_opts->id->basic, + SDAP_SASL_REALM, realm); + if (ret != EOK) { + goto done; + } + DEBUG(6, ("Option %s set to %s\n", + ipa_opts->id->basic[SDAP_SASL_REALM].opt_name, + dp_opt_get_string(ipa_opts->id->basic, SDAP_SASL_REALM))); + /* fix schema to IPAv1 for now */ ipa_opts->id->schema_type = SDAP_SCHEMA_IPA_V1; diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index 5ff0ba4f..12a49270 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -35,7 +35,7 @@ struct ipa_service { /* the following defines are used to keep track of the options in the ldap * module, so that if they change and ipa is not updated correspondingly * this will trigger a runtime abort error */ -#define IPA_OPTS_BASIC_TEST 48 +#define IPA_OPTS_BASIC_TEST 49 /* the following define is used to keep track of the options in the krb5 * module, so that if they change and ipa is not updated correspondingly |